deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-17 07:47:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merged PR 9945: 7/19 AM Publish

Browse Source
This commit is contained in:
Huaping Yu (Beyondsoft Consulting Inc) 2018-07-19 17:30:27 +00:00
commit 298df6095e
36 changed files with 1182 additions and 176 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
browsers/edge/TOC.md
View File

@ -1,8 +1,6 @@
#[Microsoft Edge - Deployment Guide for IT Pros](index.md)
##[New Microsoft Edge Group Policies and MDM settings](new-policies.md)
##[Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md)
##[Change history for Microsoft Edge](change-history-for-microsoft-edge.md)

BIN
browsers/edge/images/set-default-search-engine.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 138 KiB

After

Width:  |  Height:  |  Size: 154 KiB

8
browsers/edge/includes/allow-adobe-flash-include.md
View File

@ -6,10 +6,10 @@
### Allowed values
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled |0 |0 |Prevented/not allowed | |
|Enabled<br>**(default)** |1 |1 |Allowed | |
|Group Policy |MDM |Registry |Description |
|---|:---:|:---:|---|
|Disabled |0 |0 |Prevented/not allowed |
|Enabled<br>**(default)** |1 |1 |Allowed |
---
### ADMX info and settings

2
browsers/edge/includes/allow-ext-telemetry-books-tab-include.md
View File

@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Depending on the device configuration, Microsoft Edge gathers only basic diagnostic data. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Microsoft Edge gathers both basic and additional diagnostic data. | |
|Enabled |1 |1 |Gathers both basic and additional diagnostic data. | |
---
### ADMX info and settings

8
browsers/edge/includes/allow-sideloading-extensions-include.md
View File

@ -8,7 +8,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured |0 |0 |Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, enable **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** policy, located at Windows Components > App Package Deployment.<p>For the MDM setting, enable **ApplicationManagement/AllowDeveloperUnlock**. |![Most restricted value](../images/check-gn.png) |
|Disabled or not configured |0 |0 |Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, enable **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** policy, located at Windows Components > App Package Deployment.<p>For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enable). |![Most restricted value](../images/check-gn.png) |
|Enabled<br>**(default)** |1 |1 |Allowed. | |
---
@ -33,12 +33,12 @@
### Related policies
- Allows development of Windows Store apps and installing them from an integrated development environment (IDE): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE.
- [Allows development of Windows Store apps and installing them from an integrated development environment (IDE)](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE.
- Allow all trusted apps to install: When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps.
- [Allow all trusted apps to install](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowalltrustedapps): When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps.
### Related topics
[Enable your device for development](https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development): Configure your Windows 10 device for development and debugging.
[Enable your device for development](https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development): Access development features, along with other developer-focused settings to make it possible for you to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode.
<hr>

2
browsers/edge/includes/allow-web-content-new-tab-page-include.md
View File

@ -11,7 +11,7 @@
|Group Policy |MDM |Registry |Description |
|---|:---:|:---:|---|
|Not configured |Blank |Blank |Users can choose what loads on the New tab page. |
|Disabled |0 |0 |Load a blank page instead of the default New tab page and prevents users from changing it. |
|Disabled |0 |0 |Load a blank page instead of the default New tab page and prevent users from changing it. |
|Enabled **(default)** |1 |1 |Load the default New tab page. |
---

4
browsers/edge/includes/configure-adobe-flash-click-to-run-include.md
View File

@ -8,8 +8,8 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled |0 |0 |Loads and runs Adobe Flash content automatically. | |
|Enabled or not configured<br>**(default)** |1 |1 |Does not load or run Adobe Flash content automatically, requiring action from the user before the content loads and runs. For example, clicking the **Click-to-Run** button or clicking the content. |![Most restricted value](../images/check-gn.png) |
|Disabled |0 |0 |Load and run Adobe Flash content automatically. | |
|Enabled or not configured<br>**(default)** |1 |1 |Do not load or run Adobe Flash content automatically. Requires action from the user. |![Most restricted value](../images/check-gn.png) |
---
### ADMX info and settings

8
browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md
View File

@ -8,10 +8,10 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Disabled or not configured<br>**(default)** |0 |0 |Microsoft Edge does not collect or send browsing history data. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Send intranet history only. | |
|Enabled |2 |2 |Send Internet history only. | |
|Enabled |3 |3 |Send both intranet and Internet history. | |
|Disabled or not configured<br>**(default)** |0 |0 |No data collected or sent |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Send intranet history only | |
|Enabled |2 |2 |Send Internet history only | |
|Enabled |3 |3 |Send both intranet and Internet history | |
---
>[!IMPORTANT]

6
browsers/edge/includes/configure-cookies-include.md
View File

@ -8,9 +8,9 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Enabled |0 |0 |Block all cookies from all sites. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Block only coddies from third party websites. | |
|Disabled or not configured<br>**(default)** |2 |2 |Allow all cookies from all sites. | |
|Enabled |0 |0 |Block all cookies from all sites |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Block only coddies from third party websites | |
|Disabled or not configured<br>**(default)** |2 |2 |Allow all cookies from all sites | |
---
### ADMX info and settings

8
browsers/edge/includes/configure-do-not-track-include.md
View File

@ -1,6 +1,6 @@
<!-- ## Configure Do Not Track -->
>*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Not configured (Does not send tracking information)*
>*Default setting: Not configured (Do not send tracking information)*
[!INCLUDE [configure-do-not-track-shortdesc](../shortdesc/configure-do-not-track-shortdesc.md)]
@ -8,9 +8,9 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured |Blank |Blank |Does not send tracking information, but allow users to choose whether to send tracking information to sites they visit. | |
|Disabled |1 |1 |Never sends tracking information. | |
|Enabled<br>**(default)** |1 |1 |Sends tracking information, including to the third parties whose content may be hosted on the sites visited. |![Most restricted value](../images/check-gn.png) |
|Not configured |Blank |Blank |Do not send tracking information but let users choose to send tracking information to sites they visit. | |
|Disabled |1 |1 |Never send tracking information. | |
|Enabled<br>**(default)** |1 |1 |Send tracking information. |![Most restricted value](../images/check-gn.png) |
---
### ADMX info and settings

6
browsers/edge/includes/configure-favorites-include.md
View File

@ -1,6 +1,2 @@
<!-- ## Configure Favorites -->
>*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*<br>
>*Default setting: Disabled or not configured*
>>deprecated
>Deprecated. Use [Provision Favorites](../available-policies.md#provision-favorites).

6
browsers/edge/includes/configure-password-manager-include.md
View File

@ -1,6 +1,6 @@
<!-- ## Configure Password Manager -->
>*Supported versions: Microsoft Edge on Windows 10*<br>
>*Default setting: Enabled (Allowed)
>*Default setting: Enabled (Allowed/users can change the setting)
[!INCLUDE [configure-password-manager-shortdesc](../shortdesc/configure-password-manager-shortdesc.md)]
@ -8,7 +8,7 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured |Blank |Blank |Users can choose whether to save and manage passwords locally. | |
|Not configured |Blank |Blank |Users can choose to save and manage passwords locally. | |
|Disabled |0 |no |Not allowed. |![Most restricted value](../images/check-gn.png) |
|Enabled<br>**(default)** |1 |yes |Allowed. | |
---
@ -16,7 +16,7 @@
Verify not allowed/disabled settings:
1. In the upper-right corner of Microsoft Edge or Microsoft Edge for Windows 10 Mobile, click or tap ellipses (…).
2. Click **Settings** and select **View Advanced settings**.
3. Verify the settings **???** are greyed out.
3. Verify the settings **Save Password** is toggled off or on and is greyed out.
### ADMX info and settings
#### ADMX info

4
browsers/edge/includes/configure-pop-up-blocker-include.md
View File

@ -9,8 +9,8 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured |Blank |Blank |Users can choose to use Pop-up Blocker. | |
|Disabled<br>**(default)** |0 |0 |Turns off Pop-up Blocker letting pop-ups windows appear. | |
|Enabled |1 |1 |Turns on Pop-up Blocker stopping pop-up windows from appearing. |![Most restricted value](../images/check-gn.png) |
|Disabled<br>**(default)** |0 |0 |Turn off Pop-up Blocker letting pop-up windows open. | |
|Enabled |1 |1 |Turn on Pop-up Blocker stopping pop-up windows from opening. |![Most restricted value](../images/check-gn.png) |
---
### ADMX info and settings

4
browsers/edge/includes/configure-search-suggestions-address-bar-include.md
View File

@ -9,8 +9,8 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured<br>**(default)** |Blank |Blank |Users can choose to see search suggestions. | |
|Disabled |0 |0 |Hides the search suggestions. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Shows the search suggestions. | |
|Disabled |0 |0 |Prevented/not allowed. Hide the search suggestions. |![Most restricted value](../images/check-gn.png) |
|Enabled |1 |1 |Allowed. Show the search suggestions. | |
---
### ADMX info and settings

8
browsers/edge/includes/configure-start-pages-include.md
View File

@ -6,10 +6,10 @@
### Allowed values
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured |Blank |Blank |Microsoft Edge loads the pages specified in App settings as the default Start pages. | |
|Enabled | | |Enter URLs to the pages, separating multiple pages by using angle brackets in the following format:<p>\<support.contoso.com\>\<support.microsoft.com\><p>**Version 1703 or later:**<br>If you do not want to send traffic to Microsoft, use the \<about:blank\> value, which honors both domain and non-domain-joined devices when it is the only configured URL.<p>**Version 1810:**<br>When you enable the Configure Open Microsoft Edge With policy with an option selected, and you enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy. | |
|Group Policy |MDM |Registry |Description |
|---|:---:|:---:|---|
|Not configured |Blank |Blank |Load the pages specified in App settings as the default Start pages. |
|Enabled |String |String |Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\><p>**Version 1703 or later:**<br>If you do not want to send traffic to Microsoft, use the \<about:blank\> value, which honors both domain and non-domain-joined devices when it's the only configured URL.<p>**Version 1810:**<br>When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. |
---
### Configuration combinations

4
browsers/edge/includes/configure-windows-defender-smartscreen-include.md
View File

@ -9,8 +9,8 @@
|Group Policy |MDM |Registry |Description |Most restricted |
|---|:---:|:---:|---|:---:|
|Not configured |Blank |Blank |Users can choose to use Windows Defender SmartScreen or not. | |
|Disabled |0 |0 |Turned off. Does not protect users from potential threats and preventing users from turning it on. | |
|Enabled |1 |1 |Turned on. Protects users from potential threats and prevents users from turning it off. |![Most restricted value](../images/check-gn.png) |
|Disabled |0 |0 |Turned off. Do not protect users from potential threats and prevent users from turning it on. | |
|Enabled |1 |1 |Turned on. Protect users from potential threats and prevent users from turning it off. |![Most restricted value](../images/check-gn.png) |
---
To verify Windows Defender SmartScreen is turned off (disabled):

74
browsers/edge/includes/disable-lockdown-of-start-pages-include.md
View File

@ -12,19 +12,6 @@
|Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.<p>When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | |
---
### Configuration combinations
| **Configure Open Microsoft Edge With** | **Configure Start Pages** | **Disabled Lockdown of Start Pages** | **Outcome** |
| --- | --- | --- | --- |
| Enabled (applies to all options) | Enabled String | Enabled (all configured start pages are editable) | [\#1: Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to edit all configured start pages.](#1-load-the-urls-defined-in-the-configure-open-microsoft-edge-with-policy-and-allow-users-to-edit-all-configured-start-pages) |
| Disabled or not configured | Enabled String | Enabled (any Start page configured in the Configured Start Pages policy) | [\#2: Load any start page and allow users to edit their Start pages.](#2-load-any-start-page-configured-using-the-configured-start-pages-policy-and-allow-users-to-edit-their-start-pages) |
| Enabled (Start page) | Enabled String | Blank or not configured | [\#3: Load Start page(s) and prevent users from changing it.](#3-load-the-start-pages-and-prevent-users-from-making-changes) |
| Enabled (New tab page) | Enabled String | Blank or not configured | [\#4: Load New tab page and prevent users from changing it.](#4-load-the-new-tab-page-and-prevent-users-from-making-changes) |
| Enabled (Previous pages) | Enabled String | Blank or not configured | [\#5: Load previously opened pages and prevent users from changing it.](#5-load-the-previously-opened-pages-that-were-opened-when-microsoft-edge-last-closed-and-prevent-users-from-making-changes) |
| Enabled (A specific page or pages) | Enabled String | Blank or not configured | [\#6: Load a specific page or pages and prevent users from changing it.](#6-load-a-specific-page-or-pages-defined-in-the-configure-start-pages-policy-and-prevent-users-from-making-changes) |
| Enabled (A specific page or pages) | Enabled String | Enabled (any Start page configured in Configure Start Pages policy) | [\#7: Load a specific page or pages and allow users to make changes to their Start page.](#7-load-a-specific-page-or-pages-defined-in-the-configure-start-pages-policy-and-allow-users-to-make-changes-to-their-start-page) |
| N/A | Blank or not configured | N/A | Microsoft Edge loads the pages specified in App settings as the default Start pages. |
---
### ADMX info and settings
#### ADMX info
- **GP English name:** Disable lockdown of Start pages
@ -44,68 +31,7 @@
- **Value type:** REG_SZ
### Scenarios
#### \#1: Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to edit all configured start pages.
1. Enable the **Configure Open Microsoft Edge With** policy. Applies to all options for this policy. <p>
2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
3. Enable the **Disabled Lockdown of Start Pages** policy by selecting *All configured start pages are editable*.
#### \#2: Load any start page and allow users to edit their Start pages.
1. Disable or don't configure the **Configure Open Microsoft Edge With** policy.
2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets in the following format:<p> \<support.contoso.com\>\<support.microsoft.com\>
3. Enable the **Disabled Lockdown of Start Pages** policy by selecting *Start pages are not editable*.
#### \#3: Load Start page(s) and prevent users from changing it.
1. Enable the **Configure Open Microsoft Edge With** policy by selecting *Start page*.<p>
2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
#### \#4: Load New tab page and prevent users from changing it..
1. Enable the **Configure Open Microsoft Edge With** policy by selecting *New tab page*.<p>
2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
#### \#5: Load previously opened pages and prevent users from changing it.
1. Enable the **Configure Open Microsoft Edge With** policy by selecting *Previous pages*.<p>
2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
#### \#6: Load a specific page or pages and prevent users from changing it.
1. Enable the **Configure Open Microsoft Edge With** policy by selecting *A specific page or pages*.<p>
2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
3. Disable or don't configure the **Disabled Lockdown of Start Pages** policy.
#### \#7: Load a specific page or pages and allow users to make changes to their Start page.
1. Enable the **Configure Open Microsoft Edge With** policy by selecting *A specific page or pages*. <p>
2. In the **Configure Start Pages** policy, enter URLs to the pages, separating multiple pages by using angle brackets:<p>\<support.contoso.com\>\<support.microsoft.com\>
3. Enable **Disabled Lockdown of Start Pages** by selecting *Start pages are not editable*.
### Related Policies

4
browsers/edge/includes/set-home-button-url-include.md
View File

@ -9,7 +9,7 @@
|Group Policy |MDM |Registry |Description |
|---|:---:|:---:|---|
|Disabled or not configured<br>**(default)** |Blank |Blank |Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. |
|Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com. A custom URL loads when clicking the home button. You must also enable the [Configure Home Button](../new-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option. |
|Enabled - String |String |String |A custom URL loads when clicking the home button. You must also enable the [Configure Home Button](../new-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option.<p>Enter a URL in string format, for example, https://www.msn.com. |
---
With these values, you can do any of the following configurations:
@ -40,7 +40,7 @@ Enable the **Configure Home Button** policy and select the _Hide home button_ op
- **MDM name:** Browser/[SetHomeButtonURL](../new-policies.md#set-home-button-url)
- **Supported devices:** Desktop and Mobile
- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
- **Data type:** Integer
- **Data type:** String
#### Registry settings
- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings

18
browsers/edge/microsoft-edge-kiosk-mode-deploy.md
View File

@ -34,7 +34,7 @@ When you set up Microsoft Edge kiosk mode in single-app assigned access, Microso
The single-app Microsoft Edge kiosk mode types include:
1. **Digital / Interactive signage** devices display a specific site in full-screen mode in which Microsoft Edge runs InPrivate mode. Examples of Digital signage are a rotating advertisement or menu. Examples of Interactive signage are an interactive museum display and restaurant order/pay station.
1. **Digital / Interactive signage** devices display a specific site in full-screen mode in which Microsoft Edge runs InPrivate mode. Examples of Digital signage are a rotating advertisement or menu. Examples of Interactive signage include an interactive museum display or a restaurant order/pay station.
2. **Public browsing** devices run a limited multi-tab version of InPrivate and Microsoft Edge is the only app available. Users cant minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge. Users can clear browsing data, downloads and restart Microsoft Edge by clicking the “End session” button. You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. A public library or hotel concierge desk are two examples of public browsing in single-app kiosk device.
@ -56,7 +56,7 @@ The multi-app Microsoft Edge kiosk mode types include:
## Lets get started!
Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. You can set up Microsoft Edge kiosk mode in assigned access using:
- **Windows Settings.** Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings. You can configure Microsoft Edge in single-app (kiosk type Full-screen or public browsing) and define a single URL for the Home button, Start page, and New tab page. You can also set the reset after an idle timeout.
- **Windows Settings.** Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings. You can configure Microsoft Edge in single-app (kiosk type Full-screen or public browsing) and define a single URL for the Home button, Start page, and New tab page. You can also set the idle timer to restart the kiosk session after a period of inactivity.
- **Microsoft Intune or other MDM service.** Best for setting up multiple devices as a kiosk. With this method, you configure Microsoft Edge in assigned access and configure how Microsoft Edge behaves when its running in kiosk mode with assigned access.
@ -104,7 +104,7 @@ Windows Settings is the simplest and easiest way to set up one or a couple of de
>[!NOTE]
>The URL sets the Home button, Start page, and New tab page.
11. 11. Microsoft Edge in kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If **Continue** is not selected, Microsoft Edge resets to the default URL. You can accept the default value of **5 minutes**, or you can choose your own idle timer value.
11. Microsoft Edge in kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If **Continue** is not selected, Microsoft Edge resets to the default URL. You can accept the default value of **5 minutes**, or you can choose your own idle timer value.
12. Select **Next**, and then select **Close**.
@ -140,8 +140,8 @@ With this method, you can use Microsoft Intune or other MDM services to configur
| **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**<p>![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**0** - No idle timer</li><li>**1-1440 (5 minutes is the default)** - Set reset on idle timer</li></ul> |
| **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URLs, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\> |
| **[ConfigureHomeButton](new-policies.md#configure-home-button)**<p>![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton<p>**Data type:** Integer<p> **Allowed values:**<ul><li>**0 (default)** - Not configured. Show home button, and load the default Start page.</li><li>**1** - Enabled. Show home button and load New tab page</li><li>**2** - Enabled. Show home button & set a specific page.</li><li>**3** - Enabled. Hide the home button.</li></ul> |
| **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**<p>![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com |
| **[SetHomeButtonURL](new-policies.md#set-home-button-url)**<p>![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com |
| **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**<p>![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com |
| **[SetHomeButtonURL](new-policies.md#set-home-button-url)**<p>![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com |
---
<br>
3. Restart the device and sign in using the kiosk app user account.
@ -166,8 +166,8 @@ With this method, you can use a provisioning package to configure Microsoft Edge
| **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**<p>![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**0** - No idle timer</li><li>**1-1440 (5 minutes is the default)** - Set reset on idle timer</li></ul> |
| **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URLs, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\> |
| **[ConfigureHomeButton](new-policies.md#configure-home-button)**<p>![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton<p>**Data type:** Integer<p> **Allowed values:**<ul><li>**0 (default)** - Not configured. Show home button, and load the default Start page.</li><li>**1** - Enabled. Show home button and load New tab page</li><li>**2** - Enabled. Show home button & set a specific page.</li><li>**3** - Enabled. Hide the home button.</li></ul> |
| **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**<p>![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com |
| **[SetHomeButtonURL](new-policies.md#set-home-button-url)**<p>![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com |
| **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**<p>![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com |
| **[SetHomeButtonURL](new-policies.md#set-home-button-url)**<p>![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com |
---
<br>
4. After youve configured the Microsoft Edge kiosk mode policies, including any of the related policies, its time to build the package.
@ -273,7 +273,7 @@ Use any of the Microsoft Edge policies listed below to enhance the kiosk experie
- **[AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp):** The AssignedAccess configuration service provider (CSP) sets the device to run in kiosk mode. Once the CSP has executed, then the next user login associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
- **[Create a provisioning page for Windows 10](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package):**. Learn to use Windows Configuration Designer (WCD) to create a provisioning package (.ppkg) for configuring devices running Windows 10. The WCD wizard options provide a simple interface to configure desktop, mobile, and kiosk device settings.
- **[Create a provisioning page for Windows 10](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package):** Learn to use Windows Configuration Designer (WCD) to create a provisioning package (.ppkg) for configuring devices running Windows 10. The WCD wizard options provide a simple interface to configure desktop, mobile, and kiosk device settings.
## Known issues with RS_PRERELEASE build 17718
@ -281,7 +281,7 @@ Use any of the Microsoft Edge policies listed below to enhance the kiosk experie
- **Expected behavior** Microsoft Edge kiosk mode opens the URL on startup.
- **Actual behavior** Microsoft Edge kiosk mode may not open with the URL on startup.
- When you set up Microsoft Edge kiosk mode on a single-app kiosk device you must set the “ConfigureKioskMode” policy because the default behavior is not honored.
- When you set up Microsoft Edge kiosk mode on a single-app kiosk device you must set the “ConfigureKioskMode” policy because the default behavior is not honored.
- **Expected behavior** Microsoft Edge kiosk mode launches in full-screen mode.
- **Actual behavior** Normal Microsoft Edge launches.

47
browsers/edge/new-policies.md
View File

@ -22,30 +22,31 @@ You can find the Microsoft Edge Group Policy settings in the following location
<!-- add links to the below policies -->
- [Allow fullscreen mode](#allow-fullscreen-mode)
- [Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed)
- [Allow Prelaunch](#allow-prelaunch)
- [Allow printing](#allow-printing)
- [Allow Saving History](#allow-saving-history)
- [Allow sideloading of Extensions](#allow-sideloading-of-extensions)
- [Configure collection of browsing data for Microsoft 365 Analytics](#configure-collection-of-browsing-data-for-microsoft-365-analytics)
- [Configure Favorites Bar](#configure-favorites-bar)
- [Configure Home Button](#configure-home-button)
- [Configure kiosk mode](#configure-kiosk-mode)
- [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout)
- [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with)
- [Prevent certificate error overrides](#prevent-certificate-error-overrides)
- [Prevent turning off required extensions](#prevent-turning-off-required-extensions)
- [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing)
- [Set Home button URL](#set-home-button-url)
- [Set New Tab page URL](#set-new-tab-page-url)
- _(Modified)_ [Show message when opening sites in Internet Explorer](#showmessagewhenopeninginteretexplorersites)
- [Unlock Home button](#unlock-home-button)
In addition to the new group policies, we added a couple of new MDM policies to align with the existing group policy counterpart.
- [Experience/DoNotSyncBrowserSetting](#donotsyncbrowsersetting)
- [Browser/AllowWebContentOnNewTabPage](#allowwebcontentonnewtabpage)
| **Group Policy** | **New/update?** | **MDM Setting** | **New/update?** |
| --- | --- | --- | --- |
| [Allow fullscreen mode](#allow-fullscreen-mode) | New | AllowFullscreen | New |
| [Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | New | PreventTabPreloading | New |
| [Allow Prelaunch](#allow-prelaunch) | New | AllowPrelaunch | New |
| [Allow printing](#allow-printing) | New | AllowPrinting | New |
| [Allow Saving History](#allow-saving-history) | New | AllowSavingHistory | New |
| [Allow sideloading of Extensions](#allow-sideloading-of-extensions) | New | AllowSideloadingOfExtensions | New |
| Allow web content on new tab page | -- | [Browser/AllowWebContentOnNewTabPage](#allowwebcontentonnewtabpage) | New |
| [Configure collection of browsing data for Microsoft 365 Analytics](#configure-collection-of-browsing-data-for-microsoft-365-analytics) | New | ConfigureTelemetryForMicrosoft365Analytics | New |
| [Configure Favorites Bar](#configure-favorites-bar) | New | ConfigureFavoritesBar | New |
| [Configure Home Button](#configure-home-button) | New | ConfigureHomeButton | New |
| [Configure kiosk mode](#configure-kiosk-mode) | New | ConfigureKioskMode | New |
| [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout) | New | ConfigureKioskResetAfterIdleTimeout | New |
| [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) | New | ConfigureOpenMicrosoftEdgeWith | New |
| Do not sync browser settings | -- | [Experience/DoNotSyncBrowserSetting](#donotsyncbrowsersetting) | New |
| [Prevent certificate error overrides](#prevent-certificate-error-overrides) | New | PreventCertErrorOverrides | New |
| [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing) | New | PreventUsersFromTurningOnBrowserSyncing | New |
| [Prevent turning off required extensions](#prevent-turning-off-required-extensions) | New | PreventTurningOffRequiredExtensions | New |
| [Set Home button URL](#set-home-button-url) | New | SetHomeButtonURL | New |
| [Set New Tab page URL](#set-new-tab-page-url) | New | SetNewTabPageURL | New |
| [Show message when opening sites in Internet Explorer](#showmessagewhenopeninginteretexplorersites) | Updated | ShowMessageWhenOpeningInteretExplorerSites | Updated |
| [Unlock Home button](#unlock-home-button) | New | UnlockHomeButton | New |
---
We are also deprecating the **Configure Favorites** group policy because no MDM equivalent existed. Use the **[Provision Favorites](available-policies.md#provision-favorites)** in place of Configure Favorites.

2
browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
View File

@ -1 +1 @@
Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.
Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.

2
browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
View File

@ -1 +1 @@
By default, Microsoft Edge does not send Do Not Track requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
Microsoft Edge does not send Do Not Track requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.

2
browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
View File

@ -1 +1 @@
Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. With this policy, and you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and automatically switch to IE11. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.

2
browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
View File

@ -1 +1 @@
By default, Microsoft Edge turns off Pop-up Blocker allowing pop-up windows to appear. Enabling this policy turns on Pop-up Blocker stopping pop-up windows from appearing. Dont configure this policy to let users choose to use Pop-up Blocker.
Microsoft Edge turns off Pop-up Blocker allowing pop-up windows to appear. Enabling this policy turns on Pop-up Blocker stopping pop-up windows from appearing. Dont configure this policy to let users choose to use Pop-up Blocker.

2
browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
View File

@ -1 +1 @@
By default, Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software. Also by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Dont configure this policy to let users choose to turn Windows defender SmartScreen on or off.
Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Dont configure this policy to let users choose to turn Windows defender SmartScreen on or off.

2
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -19,7 +19,7 @@ ms.date: 11/28/2017
- Windows 10
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).
From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
![Remote Desktop Connection client](images/rdp.png)

6
windows/client-management/mdm/defender-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 01/29/2018
ms.date: 07/18/2018
---
# Defender CSP
@ -185,9 +185,9 @@ The following list shows the supported values:
- 0 = Clean
- 1 = Pending full scan
- 2 = Pending reboot
- 4 = Pending manual steps
- 4 = Pending manual steps (Windows Defender is waiting for the user to take some action, such as restarting the computer or running a full scan)
- 8 = Pending offline scan
- 16 = Pending critical failure
- 16 = Pending critical failure (Windows Defender has failed critically and an Adminsitrator needs to investigate and take some action, such as restarting the computer or reinstalling Windows Defender)
Supported operation is Get.

9
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1707,6 +1707,15 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Start/StartLayout - added a table of SKU support information.</li>
<li>Start/ImportEdgeAssets - added a table of SKU support information.</li>
</ul>
<p>Added the following new policies in Windows 10, next major version:</p>
<ul>
<li>Update/EngagedRestartDeadlineForFeatureUpdates</li>
<li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates</li>
<li>Update/EngagedRestartTransitionScheduleForFeatureUpdates</li>
<li>Update/SetDisablePauseUXAccess</li>
<li>Update/SetDisableUXWUAccess</li>
<li>Update/UpdateNotificationKioskMode</li>
</ul>
</td></tr>
<tr>
<td style="vertical-align:top">[WiredNetwork CSP](wirednetwork-csp.md)</td>

52
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -763,6 +763,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-defender.md#defender-avgcpuloadfactor" id="defender-avgcpuloadfactor">Defender/AvgCPULoadFactor</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan" id="defender-checkforsignaturesbeforerunningscan">Defender/CheckForSignaturesBeforeRunningScan</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-cloudblocklevel" id="defender-cloudblocklevel">Defender/CloudBlockLevel</a>
</dd>
@ -778,9 +781,18 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-defender.md#defender-daystoretaincleanedmalware" id="defender-daystoretaincleanedmalware">Defender/DaysToRetainCleanedMalware</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-disablecatchupfullscan" id="defender-disablecatchupfullscan">Defender/DisableCatchupFullScan</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-disablecatchupquickscan" id="defender-disablecatchupquickscan">Defender/DisableCatchupQuickScan</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-enablecontrolledfolderaccess" id="defender-enablecontrolledfolderaccess">Defender/EnableControlledFolderAccess</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-enablelowcpupriority" id="defender-enablelowcpupriority">Defender/EnableLowCPUPriority</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-enablenetworkprotection" id="defender-enablenetworkprotection">Defender/EnableNetworkProtection</a>
</dd>
@ -811,6 +823,12 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-defender.md#defender-schedulescantime" id="defender-schedulescantime">Defender/ScheduleScanTime</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-signatureupdatefallbackorder" id="defender-signatureupdatefallbackorder">Defender/SignatureUpdateFallbackOrder</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-signatureupdatefilesharessources" id="defender-signatureupdatefilesharessources">Defender/SignatureUpdateFileSharesSources</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-signatureupdateinterval" id="defender-signatureupdateinterval">Defender/SignatureUpdateInterval</a>
</dd>
@ -3209,6 +3227,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-update.md#update-autorestartdeadlineperiodindays" id="update-autorestartdeadlineperiodindays">Update/AutoRestartDeadlinePeriodInDays</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates" id="update-autorestartdeadlineperiodindaysforfeatureupdates">Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-autorestartnotificationschedule" id="update-autorestartnotificationschedule">Update/AutoRestartNotificationSchedule</a>
</dd>
@ -3242,12 +3263,21 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-update.md#update-engagedrestartdeadline" id="update-engagedrestartdeadline">Update/EngagedRestartDeadline</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates" id="update-engagedrestartdeadlineforfeatureupdates">Update/EngagedRestartDeadlineForFeatureUpdates</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-engagedrestartsnoozeschedule" id="update-engagedrestartsnoozeschedule">Update/EngagedRestartSnoozeSchedule</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates" id="update-engagedrestartsnoozescheduleforfeatureupdates">Update/EngagedRestartSnoozeScheduleForFeatureUpdates</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-engagedrestarttransitionschedule" id="update-engagedrestarttransitionschedule">Update/EngagedRestartTransitionSchedule</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates" id="update-engagedrestarttransitionscheduleforfeatureupdates">Update/EngagedRestartTransitionScheduleForFeatureUpdates</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-excludewudriversinqualityupdate" id="update-excludewudriversinqualityupdate">Update/ExcludeWUDriversInQualityUpdate</a>
</dd>
@ -3317,9 +3347,18 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-update.md#update-setautorestartnotificationdisable" id="update-setautorestartnotificationdisable">Update/SetAutoRestartNotificationDisable</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-setdisablepauseuxaccess" id="update-setdisablepauseuxaccess">Update/SetDisablePauseUXAccess</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-setdisableuxwuaccess" id="update-setdisableuxwuaccess">Update/SetDisableUXWUAccess</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-setedurestart" id="update-setedurestart">Update/SetEDURestart</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-updatenotificationkioskmode" id="update-updatenotificationkioskmode">Update/UpdateNotificationKioskMode</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-updateserviceurl" id="update-updateserviceurl">Update/UpdateServiceUrl</a>
</dd>
@ -4103,12 +4142,16 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions)
- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules)
- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor)
- [Defender/CheckForSignaturesBeforeRunningScan](./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan)
- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel)
- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout)
- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications)
- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders)
- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware)
- [Defender/DisableCatchupFullScan](./policy-csp-defender.md#defender-disablecatchupfullscan)
- [Defender/DisableCatchupQuickScan](./policy-csp-defender.md#defender-disablecatchupquickscan)
- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess)
- [Defender/EnableLowCPUPriority](./policy-csp-defender.md#defender-enablelowcpupriority)
- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection)
- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions)
- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths)
@ -4118,6 +4161,8 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime)
- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday)
- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime)
- [Defender/SignatureUpdateFallbackOrder](./policy-csp-defender.md#defender-signatureupdatefallbackorder)
- [Defender/SignatureUpdateFileSharesSources](./policy-csp-defender.md#defender-signatureupdatefilesharessources)
- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval)
- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction)
@ -4693,6 +4738,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice)
- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice)
- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays)
- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates)
- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
@ -4703,8 +4749,11 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency)
- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan)
- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline)
- [Update/EngagedRestartDeadlineForFeatureUpdates](./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates)
- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule)
- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates)
- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule)
- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates)
- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate)
- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls)
- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds)
@ -4724,7 +4773,10 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek)
- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime)
- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable)
- [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess)
- [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess)
- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart)
- [Update/UpdateNotificationKioskMode](./policy-csp-update.md#update-updatenotificationkioskmode)
- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl)
- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate)
- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller)

444
windows/client-management/mdm/policy-csp-defender.md
View File

@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 05/14/2018
ms.date: 07/03/2018
---
# Policy CSP - Defender
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
@ -67,6 +69,9 @@ ms.date: 05/14/2018
<dd>
<a href="#defender-avgcpuloadfactor">Defender/AvgCPULoadFactor</a>
</dd>
<dd>
<a href="#defender-checkforsignaturesbeforerunningscan">Defender/CheckForSignaturesBeforeRunningScan</a>
</dd>
<dd>
<a href="#defender-cloudblocklevel">Defender/CloudBlockLevel</a>
</dd>
@ -82,9 +87,18 @@ ms.date: 05/14/2018
<dd>
<a href="#defender-daystoretaincleanedmalware">Defender/DaysToRetainCleanedMalware</a>
</dd>
<dd>
<a href="#defender-disablecatchupfullscan">Defender/DisableCatchupFullScan</a>
</dd>
<dd>
<a href="#defender-disablecatchupquickscan">Defender/DisableCatchupQuickScan</a>
</dd>
<dd>
<a href="#defender-enablecontrolledfolderaccess">Defender/EnableControlledFolderAccess</a>
</dd>
<dd>
<a href="#defender-enablelowcpupriority">Defender/EnableLowCPUPriority</a>
</dd>
<dd>
<a href="#defender-enablenetworkprotection">Defender/EnableNetworkProtection</a>
</dd>
@ -115,6 +129,12 @@ ms.date: 05/14/2018
<dd>
<a href="#defender-schedulescantime">Defender/ScheduleScanTime</a>
</dd>
<dd>
<a href="#defender-signatureupdatefallbackorder">Defender/SignatureUpdateFallbackOrder</a>
</dd>
<dd>
<a href="#defender-signatureupdatefilesharessources">Defender/SignatureUpdateFileSharesSources</a>
</dd>
<dd>
<a href="#defender-signatureupdateinterval">Defender/SignatureUpdateInterval</a>
</dd>
@ -1101,6 +1121,78 @@ Valid values: 0100
<hr/>
<!--Policy-->
<a href="" id="defender-checkforsignaturesbeforerunningscan"></a>**Defender/CheckForSignaturesBeforeRunningScan**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan.
This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface.
If you enable this setting, a check for new definitions will occur before running a scan.
If you disable this setting or do not configure this setting, the scan will start using the existing definitions.
Supported values:
- 0 (default) - Disabled
- 1 - Enabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Check for the latest virus and spyware definitions before running a scheduled scan*
- GP name: *CheckForSignaturesBeforeRunningScan*
- GP element: *CheckForSignaturesBeforeRunningScan*
- GP path: *Windows Components/Windows Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="defender-cloudblocklevel"></a>**Defender/CloudBlockLevel**
@ -1408,6 +1500,146 @@ Valid values: 090
<hr/>
<!--Policy-->
<a href="" id="defender-disablecatchupfullscan"></a>**Defender/DisableCatchupFullScan**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
If you disable or do not configure this setting, catch-up scans for scheduled full scans will be turned off.
Supported values:
- 0 - Disabled
- 1 - Enabled (default)
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Turn on catch-up full scan*
- GP name: *Scan_DisableCatchupFullScan*
- GP element: *Scan_DisableCatchupFullScan*
- GP path: *Windows Components/Windows Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="defender-disablecatchupquickscan"></a>**Defender/DisableCatchupQuickScan**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured, there will be no catch-up scan run.
If you disable or do not configure this setting, catch-up scans for scheduled quick scans will be turned off.
Supported values:
- 0 - Disabled
- 1 - Enabled (default)
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Turn on catch-up quick scan*
- GP name: *Scan_DisableCatchupQuickScan*
- GP element: *Scan_DisableCatchupQuickScan*
- GP path: *Windows Components/Windows Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="defender-enablecontrolledfolderaccess"></a>**Defender/EnableControlledFolderAccess**
@ -1471,6 +1703,76 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="defender-enablelowcpupriority"></a>**Defender/EnableLowCPUPriority**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to enable or disable low CPU priority for scheduled scans.
If you enable this setting, low CPU priority will be used during scheduled scans.
If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
Supported values:
- 0 - Disabled (default)
- 1 - Enabled
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Configure low CPU priority for scheduled scans*
- GP name: *Scan_LowCpuPriority*
- GP element: *Scan_LowCpuPriority*
- GP path: *Windows Components/Windows Defender Antivirus/Scan*
- GP ADMX file name: *WindowsDefender.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="defender-enablenetworkprotection"></a>**Defender/EnableNetworkProtection**
@ -2110,6 +2412,145 @@ Valid values: 01380.
<hr/>
<!--Policy-->
<a href="" id="defender-signatureupdatefallbackorder"></a>**Defender/SignatureUpdateFallbackOrder**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order.
Possible values are:
- InternalDefinitionUpdateServer
- MicrosoftUpdateServer
- MMPC
- FileShares
For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }
If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
If you disable or do not configure this setting, definition update sources will be contacted in a default order.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Define the order of sources for downloading definition updates*
- GP name: *SignatureUpdate_FallbackOrder*
- GP element: *SignatureUpdate_FallbackOrder*
- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates*
- GP ADMX file name: *WindowsDefender.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="defender-signatureupdatefilesharessources"></a>**Defender/SignatureUpdateFileSharesSources**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default.
If you enable this setting, the specified sources will be contacted for definition updates. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Define file shares for downloading definition updates*
- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources*
- GP element: *SignatureUpdate_DefinitionUpdateFileSharesSources*
- GP path: *Windows Components/Windows Defender Antivirus/Signature Updates*
- GP ADMX file name: *WindowsDefender.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="defender-signatureupdateinterval"></a>**Defender/SignatureUpdateInterval**
@ -2319,6 +2760,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in the next major release of Windows 10.
<!--/Policies-->

571
windows/client-management/mdm/policy-csp-update.md
View File

@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 05/14/2018
ms.date: 07/18/2018
---
# Policy CSP - Update
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
@ -46,6 +48,9 @@ ms.date: 05/14/2018
<dd>
<a href="#update-autorestartdeadlineperiodindays">Update/AutoRestartDeadlinePeriodInDays</a>
</dd>
<dd>
<a href="#update-autorestartdeadlineperiodindaysforfeatureupdates">Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates</a>
</dd>
<dd>
<a href="#update-autorestartnotificationschedule">Update/AutoRestartNotificationSchedule</a>
</dd>
@ -79,12 +84,21 @@ ms.date: 05/14/2018
<dd>
<a href="#update-engagedrestartdeadline">Update/EngagedRestartDeadline</a>
</dd>
<dd>
<a href="#update-engagedrestartdeadlineforfeatureupdates">Update/EngagedRestartDeadlineForFeatureUpdates</a>
</dd>
<dd>
<a href="#update-engagedrestartsnoozeschedule">Update/EngagedRestartSnoozeSchedule</a>
</dd>
<dd>
<a href="#update-engagedrestartsnoozescheduleforfeatureupdates">Update/EngagedRestartSnoozeScheduleForFeatureUpdates</a>
</dd>
<dd>
<a href="#update-engagedrestarttransitionschedule">Update/EngagedRestartTransitionSchedule</a>
</dd>
<dd>
<a href="#update-engagedrestarttransitionscheduleforfeatureupdates">Update/EngagedRestartTransitionScheduleForFeatureUpdates</a>
</dd>
<dd>
<a href="#update-excludewudriversinqualityupdate">Update/ExcludeWUDriversInQualityUpdate</a>
</dd>
@ -154,9 +168,18 @@ ms.date: 05/14/2018
<dd>
<a href="#update-setautorestartnotificationdisable">Update/SetAutoRestartNotificationDisable</a>
</dd>
<dd>
<a href="#update-setdisablepauseuxaccess">Update/SetDisablePauseUXAccess</a>
</dd>
<dd>
<a href="#update-setdisableuxwuaccess">Update/SetDisableUXWUAccess</a>
</dd>
<dd>
<a href="#update-setedurestart">Update/SetEDURestart</a>
</dd>
<dd>
<a href="#update-updatenotificationkioskmode">Update/UpdateNotificationKioskMode</a>
</dd>
<dd>
<a href="#update-updateserviceurl">Update/UpdateServiceUrl</a>
</dd>
@ -690,11 +713,21 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory.
For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled.
Supported values are 2-30 days.
Value type is integer. Default is 7 days.
The default value is 7 days.
Supported values range: 2-30.
Note that the PC must restart for certain updates to take effect.
If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled.
If you disable or do not configure this policy, the PC will restart according to the default schedule.
If any of the following two policies are enabled, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time.
<!--/Description-->
<!--ADMXMapped-->
@ -710,6 +743,81 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="update-autorestartdeadlineperiodindaysforfeatureupdates"></a>**Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled.
Value type is integer. Default is 7 days.
Supported values range: 2-30.
Note that the PC must restart for certain updates to take effect.
If you enable this policy, a restart will automatically occur the specified number of days after the restart was scheduled.
If you disable or do not configure this policy, the PC will restart according to the default schedule.
If any of the following two policies are enabled, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations.
2. Always automatically restart at scheduled time.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify deadline before auto-restart for update installation*
- GP name: *AutoRestartDeadline*
- GP element: *AutoRestartDeadlineForFeatureUpdates*
- GP path: *Windows Components/Windows Update*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-autorestartnotificationschedule"></a>**Update/AutoRestartNotificationSchedule**
@ -1402,11 +1510,20 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
Supported values are 2-30 days.
Value type is integer. Default is 14.
The default value is 0 days (not specified).
Supported value range: 2 - 30.
If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling).
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
<!--/Description-->
<!--ADMXMapped-->
@ -1422,6 +1539,80 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="update-engagedrestartdeadlineforfeatureupdates"></a>**Update/EngagedRestartDeadlineForFeatureUpdates**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed, within the specified period.
Value type is integer. Default is 14.
Supported value range: 2 - 30.
If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (e.g. pending user scheduling).
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify Engaged restart transition and notification schedule for updates*
- GP name: *EngagedRestartTransitionSchedule*
- GP element: *EngagedRestartDeadlineForFeatureUpdates*
- GP path: *Windows Components/Windows Update*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**
@ -1458,11 +1649,18 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
Supported values are 1-3 days.
Value type is integer. Default is 3 days.
The default value is 3 days.
Supported value range: 1 - 3.
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
<!--/Description-->
<!--ADMXMapped-->
@ -1478,6 +1676,78 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="update-engagedrestartsnoozescheduleforfeatureupdates"></a>**Update/EngagedRestartSnoozeScheduleForFeatureUpdates**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1 and 3 days.
Value type is integer. Default is 3 days.
Supported value range: 1 - 3.
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify Engaged restart transition and notification schedule for updates*
- GP name: *EngagedRestartTransitionSchedule*
- GP element: *EngagedRestartSnoozeScheduleForFeatureUpdates*
- GP path: *Windows Components/Windows Update*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**
@ -1514,11 +1784,18 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Supported values are 2-30 days.
Value type is integer.
The default value is 7 days.
Supported value range: 0 - 30.
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
<!--/Description-->
<!--ADMXMapped-->
@ -1534,6 +1811,78 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="update-engagedrestarttransitionscheduleforfeatureupdates"></a>**Update/EngagedRestartTransitionScheduleForFeatureUpdates**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
Value type is integer.
Supported value range: 0 - 30.
If you disable or do not configure this policy, the default behaviors will be used.
If any of the following policies are configured, this policy has no effect:
1. No auto-restart with logged on users for scheduled automatic updates installations
2. Always automatically restart at scheduled time
3. Specify deadline before auto-restart for update installation
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify Engaged restart transition and notification schedule for updates*
- GP name: *EngagedRestartTransitionSchedule*
- GP element: *EngagedRestartTransitionScheduleForFeatureUpdates*
- GP path: *Windows Components/Windows Update*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate**
@ -2871,6 +3220,126 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="update-setdisablepauseuxaccess"></a>**Update/SetDisablePauseUXAccess**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user cannot access the "Pause updates" feature.
Value type is integer. Default is 0. Supported values 0, 1.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP name: *SetDisablePauseUXAccess*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-setdisableuxwuaccess"></a>**Update/SetDisableUXWUAccess**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user cannot access the Windows Update scan, download, and install features.
Value type is integer. Default is 0. Supported values 0, 1.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP name: *SetDisableUXWUAccess*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-setedurestart"></a>**Update/SetEDURestart**
@ -2929,6 +3398,74 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="update-updatenotificationkioskmode"></a>**Update/UpdateNotificationKioskMode**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows you to define what Windows Update notifications users see. This policy doesnt control how and when updates are downloaded and installed.
Valid values:
- 0 (default) Use the default Windows Update notifications
- 1 Turn off all notifications, excluding restart warnings
- 2 Turn off all notifications, including restart warnings
> [!Important]
> If you choose not to get update notifications and also define the policy “Configure Automatic Updates” so that devices arent automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Display options for update notifications*
- GP name: *UpdateNotificationKioskMode*
- GP path: *Windows Components/Windows Update*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-updateserviceurl"></a>**Update/UpdateServiceUrl**
@ -3081,6 +3618,7 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in the next major release of Windows 10.
<!--/Policies-->
@ -3099,11 +3637,18 @@ Footnote:
- [Update/AllowNonMicrosoftSignedUpdate](#update-allownonmicrosoftsignedupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](#update-autorestartdeadlineperiodindaysforfeatureupdates)
- [Update/EngagedRestartDeadlineForFeatureUpdates](#update-engagedrestartdeadlineforfeatureupdates)
- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](#update-engagedrestartsnoozescheduleforfeatureupdates)
- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](#update-engagedrestarttransitionscheduleforfeatureupdates)
- [Update/PauseDeferrals](#update-pausedeferrals)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/SetDisablePauseUXAccess](#update-setdisablepauseuxaccess)
- [Update/SetDisableUXWUAccess](#update-setdisableuxwuaccess)
- [Update/UpdateNotificationKioskMode](#update-updatenotificationkioskmode)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
<!--EndIoTCore-->

1
windows/configuration/TOC.md
View File

@ -122,6 +122,7 @@
#### [UniversalAppUninstall](wcd/wcd-universalappuninstall.md)
#### [UsbErrorsOEMOverride](wcd/wcd-usberrorsoemoverride.md)
#### [WeakCharger](wcd/wcd-weakcharger.md)
#### [WindowsHelloForBusiness](wcd/wcd-windowshelloforbusiness.md)
#### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md)
#### [WLAN](wcd/wcd-wlan.md)
#### [Workplace](wcd/wcd-workplace.md)

2
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -17,6 +17,8 @@ ms.date: 06/27/2018
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## June 2018
New or changed topic | Description

33
windows/configuration/wcd/wcd-windowshelloforbusiness.md Normal file
View File

@ -0,0 +1,33 @@
---
title: WindowsHelloForBusiness (Windows 10)
description: This section describes the Windows Hello for Business settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
ms.date: 07/19/2018
---
# WindowsHelloForBusiness (Windows Configuration Designer reference)
>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello for Business ](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to Windows on a device configured for [Shared PC mode](wcd-sharedpc.md).
## Applies to
| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
| --- | :---: | :---: | :---: | :---: | :---: |
| [SecurityKeys](#securitykeys) | X | | | | |
## SecurityKeys
Select the desired value:
- `0`: security keys for Windows Hello for Business are disabled.
- `1`: security keys for Windows Hello for Business are enabled on [Shared PCs](wcd-sharedpc.md).

3
windows/configuration/wcd/wcd.md
View File

@ -8,7 +8,7 @@ author: jdeckerMS
ms.localizationpriority: medium
ms.author: jdecker
ms.topic: article
ms.date: 04/30/2018
ms.date: 07/19/2018
---
# Windows Configuration Designer provisioning settings (reference)
@ -78,6 +78,7 @@ This section describes the settings that you can configure in [provisioning pack
| [UniversalAppInstall](wcd-universalappinstall.md) | X | X | X | X | X |
| [UniversalAppUninstall](wcd-universalappuninstall.md) | X | X | X | X | X |
| [WeakCharger](wcd-weakcharger.md) |X | X | X | X | |
| [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) | X | | | | |
| [WindowsTeamSettings](wcd-windowsteamsettings.md) | | | X | | |
| [WLAN](wcd-wlan.md) | | | | X | |
| [Workplace](wcd-workplace.md) |X | X | X | X | X |

2
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
View File

@ -68,7 +68,7 @@ This table indicates the functionality and features that are available in each s
State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md)
:-|:-|:-:|:-:|:-:|:-:|:-:
Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]]
Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
If you are enrolled in Windows Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks.